FreeIPA PKI Certs wont renew "Adjustment limit exceeded"
by T A
On FreeIPA version 4.6.8-5 realized that pki-tomcatd wouldnt start
ipactl status
pki-tomcatd Service: STOPPED
Ran 'getcert list' and found the 'pki-tomcat' cert was expired
Rolled back the system clock to before the cert expired, now starts up
ipactl status
pki-tomcatd Service: STARTED
Tried to renew with 'ipa-getcert resubmit -i "123456"' but it shows "status: CA_UNREACHABLE"
'ipa-cert fix' didnt work either
Checked logs again 'journalctl -t certmonger' and found 'ns-slapd' was giving out this error when it tried to renew 'csngen_adjust_local_time - Adjustment limit exceeded: value - 435060 limit - 86400'
Any way to change the adjustment limit or force this cert to renew anyway?
2 days, 3 hours
Installing FreeIPA server + replica using Ansible Role FreeIPA
by Finn Fysj
The installation of IPA server and replica does not produce desired result.
Even though the mkhomedir is set to true the feature is not enabled in the authselect. Also the replica server does not replicate SUDO and HBAC rules from the IPA master.
Is the only solution to re-install the whole IPA server/replicas stuff? Kinda stupid.
Example of the IPA server role:
- role: freeipa.ansible_freeipa.ipaserver
vars:
ipaserver: "{{ ansible_hostname }}.example"
ipaserver_hostname: "{{ ansible_hostname }}.example"
ipaadmin_password: "test123"
ipadm_password: "test321"
ipaserver_domain: "example.com"
ipaserver_realm: "EXAMPLE.COM"
ipaserver_no_host_dns: true
ipaserver_mem_check: true
ipaserver_install_packages: true
ipaserver_setup_dns: false
ipaserver_no_pkinit: true
ipaserver_no_hbac_allow: true
ipaserver_no_ui_redirect: false
ipaclient_no_ntp: true
ipaclient_mkhomedir: true
ipaclient_no_sudo: false
4 days, 9 hours
kinit: KDC can't fulfill requested option while renewing credentials - which approach?
by Pieter Baele
I tried various approached to get Renewable tickets :
modifying the kdc
modifying krb5.conf
using kadmin.local on every replica to modify the principal; which is not
working - as designed (?)- in IPA
What should I do to get a ticket with the correct R flag from IPA ?
I don't think this is SSSD related (the service needing the renewable
ticket this way is Apache Storm)
Thanks a lot!
4 days, 23 hours
AIX - IPA group membership
by Ronald Wimmer
I can and use IPA users on an AIX client. As well as groups. But somehow
group membership does not seem to be configured correctly...
# id y179768
uid=1246660005(y179768) gid=1246660005(y179768)
# lsgroup -R LDAP ipa-aix-g
ipa-aix-g id=1246690508 users= registry=LDAP
Anyone has a hint what could be misconfigured?
1 week, 6 days
Custom ssl cert for freeipa docker
by Leo O
Hello Guys,
I'm would like to use custom ssl certificates for http and ldap, I saw the following:
https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP
But I wonder how would this be done when using freeipa in a docker/podman container. I mean the container is started with "--read-only" flag. So it's not clear to me what the correct approach here would be. I hope it's not that you have to re-build an own image with the ssl certificates every time?
Background Info: I'm using acme.sh in a VM, which creates my wildcard letsencrypt certificates and puts them on an nfs share. Freeipa should simply use that certificates for http and ldap and that's it. No renewing as this is done by the acme.sh VM itself.
1 month
Visibility/access of Freeipa users to windows on trusted AD
by Francis Augusto Medeiros-Logeay
Hi,
I have searched this everywhere, but can't find it.
I want to grant access to a FreeIPA user to a Windows machine. When I
try to grant the user access on windows, adding it like
FREEIPADOMAIN\freeipauser, I get an error. There is a trust between both
domains, but every place where I see the trusted domain on Windows (for
example when configuring a GPO) I can't search for FreeIPA users.
Is this how it is supposed to be, or how can I see my FreeIPA users on
Windows the same way I see AD users on my freeipa linux clients?
Best,
Francis
--
Francis Augusto Medeiros-Logeay
Oslo, Norway
1 month, 2 weeks
local root can login but freeipa users can't
by barry y
This happen randomly, local root can login through SSH to the affected system but for freeipa user, login was successful but there's no prompt.
When successfully logged in, it only display a message saying "Last login: xxx" and then no prompt.
There's no sssd errors though, restarting the service doesn't help either. While the issue happen to one system, other systems freeipa users can login no problem.
Only way to get out of this is to restart the entire system.
1 month, 4 weeks
Cannot get rid of a replica/agreement
by lejeczek
Hi guys.
Two masters from which third got disconnected in a "dirty"
manner.
-> $ ipa-replica-manage del midway.ccn.priv.dom
Server removal aborted:
Replication topology in suffix 'domain' is disconnected:
Topology does not allow server love.ccn.priv.dom to
replicate with servers:
midway.ccn.priv.dom
Topology does not allow server midway.ccn.priv.dom to
replicate with servers:
love.ccn.priv.dom
punch.ccn.priv.dom
Topology does not allow server punch.ccn.priv.dom to
replicate with servers:
midway.ccn.priv.dom.
-> $ ipa topologysegment-find domain
-----------------
1 segment matched
-----------------
Segment name: punch.ccn.priv.dom-to-love.ccn.priv.dom
Left node: punch.ccn.priv.dom
Right node: love.ccn.priv.dom
Connectivity: both
----------------------------
Number of entries returned 1
-> $ ipa-replica-manage del midway.ccn.priv.dom --force
ipa: WARNING:
/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py:1973:
The subsystem in PKIConnection.__init__() has been
deprecated
(https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes).
Updating DNS system records
Not allowed on non-leaf entry
I've tried to 'reinitialize' but without success.
Anybody care to share suggestions & thoughts?
many thanks, L.
2 months
FreeIPA on Fedora and dnf system-upgrade
by Ian Pilcher
I am currently running FreeIPA on CentOS 7, and I am considering moving
it to Fedora.
On RHEL and derivatives, in-place upgrades are not supported. It is
necessary to provision a new server, running the new OS version, add it
as a FreeIPA replica, and then decommission the old system.
How does this work on Fedora? Will I be able to use dnf system-upgrade,
or will I find myself having to use the process described above?
--
========================================================================
Google Where SkyNet meets Idiocracy
========================================================================
2 months, 1 week
